**Scope:** A “latest-evidence-first” working map of what this repo contains, the rough chronology of the investigation, the endpoints that matter, and a concrete plan for proving transmission via packet captures correlated to on-device/runtime logs.
This file intentionally prioritizes the **post-runtime** evidence path summarized in `evidence/agents/INDEX.md` over earlier time-boxed/partial reviews.
1) Repo Goal (Operational Definition)
The repo is an evidence package asserting that Facebook iOS v345.0 contains:
2) Brief Timeline (Latest Evidence Anchors)
This timeline is intentionally “evidence-anchored” (file/date) rather than narrative-only.
2025-12-29 (Package preparation)
2025-12-30 (Primary on-device + runtime evidence day)
2026-01-01 (Generated deep chain writeups)
Current repo state (what’s missing for final “PCAP proves it” citation)
3) Endpoints That Matter (What to Look For)
A) Remote activation / wake channel (Apple infrastructure)
B) Real-time speech/audio streaming (“Shortwave”)
C) Upload / laundering path (media/GraphQL)
D) MQTT (control/config push channel)
4) How to Prove Transmission When Payload Is Encrypted/Obfuscated
The point is not to decode the raw audio; it is to prove that **microphone-derived data leaves the device**, time-correlated with microphone activation, even when the payload itself stays encrypted or obfuscated.
4.1 Minimum viable proof pattern
4.2 What makes correlation “strong”
5) Practical PCAP Triage Commands (tshark)
These are designed to answer “what endpoints and what flows exist?” quickly, before deeper analysis.
5.1 TLS SNI (TCP/TLS)
```bash
# One line per TLS ClientHello carrying an SNI. With -e frame.time every line is
# unique, so drop that field if you only want the distinct host list.
tshark -r CAPTURE.pcap \
  -Y 'tls.handshake.extensions_server_name' \
  -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport -e tls.handshake.extensions_server_name \
  | sort -u
```
5.2 DNS queries
```bash
# dns.qry.name is present on both queries and responses; add
# `&& dns.flags.response == 0` to the filter to keep only the client's queries.
tshark -r CAPTURE.pcap \
  -Y 'dns.qry.name' \
  -T fields -e frame.time -e ip.src -e dns.qry.name \
  | sort -u
```
5.3 QUIC / UDP 443 flow inventory (when QUIC is used)
```bash
# QUIC rides UDP/443; udp.stream groups packets of one 5-tuple so a flow can be
# followed by index. `head` is a preview only, drop it for the full inventory.
tshark -r CAPTURE.pcap \
  -Y 'udp.dstport==443 || udp.srcport==443' \
  -T fields -e frame.time_epoch -e ip.src -e ip.dst -e udp.length -e udp.stream \
  | head
```
5.4 Size clustering for suspected exfil flows
Once you know the server IP(s), extract per-packet sizes to see clustering (audio-streaming flows tend to show runs of near-identical frame sizes at a steady cadence):

```bash
# Exactly one of the two size columns is populated per packet. Note that
# udp.length includes the 8-byte UDP header while tcp.len is TCP payload only,
# so subtract 8 from the UDP column before comparing the two.
tshark -r CAPTURE.pcap \
  -Y 'ip.dst==SERVER_IP && (udp || tcp)' \
  -T fields -e frame.time_epoch -e ip.src -e ip.dst -e udp.length -e tcp.len
```
6) Timestamp Alignment Notes (Avoid False “No Exfil” Conclusions)
To sync timelines you need at least one shared clock reference between the capture host's clock (`frame.time_epoch` in the PCAP) and the clock of the on-device/runtime logs, otherwise a genuine burst can land outside the window you inspect and read as "no exfil".
If a runtime log lacks absolute timestamps (some Frida outputs print only seconds since attach, or no time at all), you can still align it provided at least one event is visible in both the log and the capture; the difference between the two readings of that event is the offset to apply to every other log line.
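The script below is an added example, not tooling from this repo and not the authors' method. It carries the section 4.1/4.2 correlation, the section 5.4 size aggregation and the section 6 clock alignment through on constructed data: a tshark export in the five-column shape of the 5.4 command, and a Frida-style hook log that prints only seconds since attach. The device address, the server address, the `connect` hook line used as the shared clock marker, the 2 s post-release slack, and the "10x idle baseline and more than 4 KiB" threshold are all assumptions chosen for the illustration; the `AVAudioSession setActive:` lines are likewise constructed log content, not output from the repo's hooks.

```python
# Added example, not the repo's own tooling: correlate microphone activation in a
# runtime hook log with outbound byte volume to one endpoint, payload encrypted.
import re
from collections import namedtuple

DEVICE_IP = "10.0.0.5"      # assumed: the iPhone's address as seen by the capture host
SERVER_IP = "203.0.113.10"  # assumed: suspected upload endpoint (TEST-NET-3 placeholder)

# Constructed rows in the shape of the section 5.4 tshark export
# (frame.time_epoch, ip.src, ip.dst, udp.length, tcp.len); an empty column is a
# field tshark had no value for. Invented numbers, not from any real capture.
PCAP_TSV = """\
1767100005.00\t10.0.0.5\t203.0.113.10\t\t0
1767100005.40\t10.0.0.5\t203.0.113.10\t\t517
1767100005.60\t203.0.113.10\t10.0.0.5\t\t2400
1767100010.00\t10.0.0.5\t203.0.113.10\t\t90
1767100012.90\t10.0.0.5\t203.0.113.10\t\t1380
1767100013.40\t10.0.0.5\t203.0.113.10\t\t1380
1767100013.90\t10.0.0.5\t203.0.113.10\t\t1380
1767100015.90\t10.0.0.5\t203.0.113.10\t\t1380
1767100018.80\t10.0.0.5\t203.0.113.10\t\t1100
1767100025.00\t10.0.0.5\t203.0.113.10\t\t90
1767100040.60\t10.0.0.5\t203.0.113.10\t1208\t
1767100041.10\t10.0.0.5\t203.0.113.10\t1208\t
1767100042.30\t10.0.0.5\t203.0.113.10\t1208\t
1767100045.50\t10.0.0.5\t203.0.113.10\t808\t
1767100055.00\t10.0.0.5\t203.0.113.10\t\t90
"""

# Constructed Frida-style hook log that prints only seconds since attach.
# "connect" is the assumed shared-clock marker; setActive lines bracket mic use.
RUNTIME_LOG = """\
[+0.000] hooks installed
[+5.000] connect 203.0.113.10:443
[+12.400] AVAudioSession setActive:YES
[+19.000] AVAudioSession setActive:NO
[+40.000] AVAudioSession setActive:YES
[+46.000] AVAudioSession setActive:NO
"""

Packet = namedtuple("Packet", "t src dst payload")  # epoch secs, addresses, app bytes
LOG_LINE = re.compile(r"^\[\+(?P<t>\d+\.\d+)\]\s+(?P<msg>.+)$")

def parse_tshark_fields(text):
    """udp.length counts the 8-byte UDP header while tcp.len is payload only,
    so normalise both columns to application bytes."""
    pkts = []
    for line in text.splitlines():
        t, src, dst, udp_len, tcp_len = line.split("\t")
        payload = max(int(udp_len) - 8, 0) if udp_len else int(tcp_len or 0)
        pkts.append(Packet(float(t), src, dst, payload))
    return pkts

def parse_runtime_log(text):
    """Return (relative_seconds, message) pairs; non-matching lines are skipped."""
    return [(float(m["t"]), m["msg"]) for m in map(LOG_LINE.match, text.splitlines()) if m]

def clock_offset(events, pkts, device_ip, server_ip):
    """Assumed alignment: the hook logs connect() with its peer, and the first
    packet the device sends to that peer is the same instant in the capture.
    Returns capture_epoch - log_relative, to add to every log timestamp."""
    log_t = next(t for t, msg in events if msg == f"connect {server_ip}:443")
    cap_t = min(p.t for p in pkts if p.src == device_ip and p.dst == server_ip)
    return cap_t - log_t

def mic_sessions(events):
    """Pair setActive:YES / setActive:NO lines into (start, end) spans."""
    spans, start = [], None
    for t, msg in events:
        if msg.endswith("setActive:YES"):
            start = t
        elif msg.endswith("setActive:NO") and start is not None:
            spans.append((start, t))
            start = None
    return spans

def correlate(pkts, events, device_ip, server_ip, slack=2.0):
    """Sum device->server bytes inside each mic session (plus `slack` seconds,
    since buffered audio may be flushed after release) against the idle rate."""
    out = [p for p in pkts if p.src == device_ip and p.dst == server_ip]
    off = clock_offset(events, pkts, device_ip, server_ip)
    windows = [(s + off, e + off + slack) for s, e in mic_sessions(events)]
    outside = sum(p.payload for p in out if not any(a <= p.t <= b for a, b in windows))
    idle = (max(p.t for p in out) - min(p.t for p in out)) - sum(b - a for a, b in windows)
    baseline = outside / idle if idle > 0 else 0.0
    sessions = []
    for a, b in windows:
        n = sum(p.payload for p in out if a <= p.t <= b)
        rate = n / (b - a)
        # Assumed threshold: >4 KiB and at least 10x the idle rate counts as corroborated.
        sessions.append({"capture_start": a, "capture_end": b, "bytes": n, "rate": rate,
                         "corroborated": n > 4096 and rate >= 10 * baseline})
    return {"offset": off, "baseline_rate": baseline, "baseline_bytes": outside,
            "sessions": sessions}

if __name__ == "__main__":
    r = correlate(parse_tshark_fields(PCAP_TSV), parse_runtime_log(RUNTIME_LOG), DEVICE_IP, SERVER_IP)
    print(f"offset={r['offset']:.3f}s idle={r['baseline_rate']:.1f}B/s")
    for s in r["sessions"]:
        print(f"{s['capture_start']:.2f}-{s['capture_end']:.2f} {s['bytes']}B "
              f"{s['rate']:.0f}B/s corroborated={s['corroborated']}")
```

Run it directly to print the offset and a per-session verdict. Against real data, replace `PCAP_TSV` with the output of the 5.4 command (the sample deliberately includes one server-to-device row to show that only device-to-server bytes are counted) and pick a marker event that both your hooks and the capture can see. The byte counts alone say nothing about content; what this supports is the narrower claim that egress volume to the endpoint rises and falls with the microphone session once the clocks are aligned, which is the "minimum viable proof" shape rather than decoded audio.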
7) Current Workspace Reality Check (So We Don’t Over-claim)
If you point me to where the weeklong/“latest” PCAPs are stored (or drop them into a new folder), I can produce an endpoint+timeline correlation table that upgrades “capability + runtime” into “network egress proven by capture”.